Enable the firewall to inspect decrypted SSL/TLS traffic
for threats during SSL/TLS handshakes.
What do I need? URL Filtering license. For Prisma Access, this is usually included with your Prisma Access license.
Inspect SSL/TLS handshakes for potential threats. Examining SSL/TLS handshakes improves network security and optimizes legacy and Advanced URL Filtering subscriptions. When you enable SSL/TLS handshake inspection, Advanced URL Filtering uses data in the handshake to identify the traffic and enforce applicable Security policy rules as early as possible.
Here’s how it works
First, the Client Hello message is scanned for the Server Name Indication (SNI) field, a TLS protocol extension that contains the hostname of the requested website. Then, the URL category and server destination of the traffic are determined from that hostname. Next, the traffic is enforced based on its URL category. If a threat is detected, such as a malicious web server in the SNI field, or if a Security policy rule blocks the website, the firewall terminates the handshake and ends the web session immediately. If no threat is detected and the traffic is allowed per policy, the SSL/TLS handshake is completed and application data is exchanged through the secure connection.
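The flow above, as an added example that is not Palo Alto Networks code: a minimal parser that pulls the SNI hostname out of a TLS Client Hello record and applies a category-based allow/reset decision before any application data is exchanged. The Client Hello bytes, the URL-category table and the blocked-category set are all constructed for the example; the real Advanced URL Filtering lookup and policy evaluation are assumed to sit behind `CATEGORY_TABLE` and `BLOCKED_CATEGORIES`.

```python
"""Added example (not vendor code): SNI-based handshake inspection."""
import struct

# Constructed URL-category table standing in for the Advanced URL Filtering lookup.
CATEGORY_TABLE = {
    "intranet.example.com": "business-and-economy",
    "malware-host.example.net": "malware",
    "streaming.example.org": "streaming-media",
}
# Constructed policy: categories that the Security policy rule blocks.
BLOCKED_CATEGORIES = {"malware", "streaming-media"}


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 Client Hello record carrying an SNI extension.
    Constructed sample input, not captured traffic."""
    host = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_ext_data = struct.pack("!H", len(sni_entry)) + sni_entry
    extension = struct.pack("!HH", 0, len(sni_ext_data)) + sni_ext_data  # ext type 0 = server_name
    extensions = struct.pack("!H", len(extension)) + extension
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + b"\x00" * 32          # random (zeroed for the example)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\x13\x01"   # cipher_suites: length 2, one suite
        + b"\x01\x00"           # compression_methods: length 1, null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS Client Hello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16:                       # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                           # not a client_hello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                # skip version and random
        pos += 1 + body[pos]                        # skip session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len                           # skip cipher_suites
        pos += 1 + body[pos]                        # skip compression_methods
        if pos >= len(body):
            return None                             # no extensions present
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext_data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type == 0:                       # server_name extension
                list_len = struct.unpack("!H", ext_data[:2])[0]
                q = 2
                while q + 3 <= 2 + list_len:
                    name_type = ext_data[q]
                    name_len = struct.unpack("!H", ext_data[q + 1:q + 3])[0]
                    name = ext_data[q + 3:q + 3 + name_len]
                    if name_type == 0:              # host_name entry
                        return name.decode("ascii")
                    q += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def inspect_handshake(record: bytes) -> dict:
    """Decide allow or reset from the SNI, before any application data flows.
    A reset means no response page can be shown; the client sees a connection error."""
    sni = extract_sni(record)
    if sni is None:
        # No SNI to act on; the session falls through to normal policy handling (assumption).
        return {"sni": None, "category": "unknown", "action": "no-sni"}
    category = CATEGORY_TABLE.get(sni, "unknown")
    if category in BLOCKED_CATEGORIES:
        return {"sni": sni, "category": category, "action": "reset", "log": "url-filtering"}
    return {"sni": sni, "category": category, "action": "allow", "log": "traffic+decryption"}


if __name__ == "__main__":
    for host in ("intranet.example.com", "malware-host.example.net"):
        print(inspect_handshake(build_client_hello(host)))
```

The `log` field mirrors where the page says the evidence ends up: an allowed session appears in the Traffic and Decryption logs, while a session reset during the handshake is recorded only in the URL Filtering log, so a hunt for blocked destinations should query that log rather than Decryption.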
URL Filtering response pages do not display for sites blocked during SSL/TLS handshake inspection because the firewall resets the HTTPS connection. The connection reset ends the SSL/TLS handshake and prevents user notification by response page; the browser displays a standard connection error message instead.
You can find details of successful SSL/TLS handshakes and sessions in the Traffic and Decryption logs. Details of failed sessions can be found in the URL Filtering logs; Decryption logs aren’t generated for web sessions blocked during SSL/TLS handshakes.